Subject: Re: encrypted swap?
To: None <tech-security@netbsd.org, tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-security
Date: 06/04/2001 22:11:08
> To me, at least, the point of an encrypted swap area is to defeat
> "seized machine" attacks, not real-time attacks.

I would agree.

There's another point, which just now occurred to me.

Stuff remaining on swap can be good as well as bad.  I was at the
Venema/Farmer talk at IBM, and one of their rich sources of information
was swap partitions - it can be valuable for forensics after a breakin
as well as being valuable to an attacker.

> In other words, the risk is to things like PGP private keys and the
> like.

Agreed again.

> Given that, there's no issue of too much data encrypted with one key.

Now, smb is one of those people of whom I say "if you disagree, it's
probably you that's wrong".

But here I feel I must - it may not turn out to be a _practical_
matter, but it is at least important an issue enough to consider.

There's no issue of too much data _we care about_ encrypted with one
key, perhaps.  But - to pick on the PGP private key example - a lot
more than just the private key is encrypted with a given swap key.  At
the very least, the rest of the affected page is; in the scheme of the
paper, anything else encrypting-swapped to the same (big) chunk of swap
is.  Even with per-process (or per-VM-object) keys, anything else
swapped from that VM object is.

And as I trust we all know that the more data you encrypt with a key,
the easier cryptanalysis is.  And in a seized-machine attack, the
attacker can deduce exactly what the layout of the attacked process's
memory space is, providing a good deal of known plaintext and a bunch
more low-entropy plaintext.

And if we do the encrypted-block-device form, then the whole device,
including a whole lot of known or low-entropy plaintext, is.
(Depending of course on exactly how the encryption layer manages its
keys.)

> The total amount of ciphertext available to the attacker is limited
> by the amount of swap space you have, and that's almost certainly
> small enough that you don't have to worry.

There is that, though: even if you have a whole processful of encrypted
swap, it's probably not enough - even with known-plaintext help
factored in - to mount a successful attack.

I suppose it depends on how paranoid you are.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B